China: NPC passes Data Security Law
The National People's Congress of the People's Republic of China ('NPC') announced, on 10 June 2021, that the Data Security Law of the People's Republic of China was adopted by the 29th meeting of the Standing Committee of the 13th NPC. In particular, the Data Security Law regulates data processing activities, ensures data security, and protects the legitimate rights and interests of individuals and organisations, among other things. Specifically, the Data Security Law introduces additional requirements for the processing of important data, including the appointment of a person in charge of data security and the conducting of risk assessments, which must be sent to the relevant regulatory departments.
Galaad Delval, independent privacy professional, told OneTrust DataGuidance, "If there is one element to highlight for foreign companies, it is the increased importance given to the processing of important data. A concept already laid out in 2016 through the Cybersecurity Law 2016, but which has since gained traction to become a central component of cybersecurity governance. For foreign companies, beyond the obligations tied with important data, such as more controlled cross-border transfers, the main difficulty will be on defining what is the important data relevant to both their industry and location. Because Article 21 of the Data Security Law entrusts the work of defining what are important data to the region and industrial regulators, all companies should set up a regulatory follow-up team in order to be able to track the development of their relevant important data catalogue, and in time, have their internal process ready for increased obligations tied to those important data under the Data Security Law. To be noted, those catalogues can be expected to be in Chinese only and without any translation."
In addition, Dr. Michael Tan, Partner at Taylor Wessing, told OneTrust DataGuidance, "[The] key impact on international business include, among others, at first [is the] enhanced obligation to ensure data security like establishing a data security management system, training and other technical means to ensure data security. Another important impact will be on data cross border transmission, i.e. providing data e.g. by China subsidiaries of a foreign company to foreign law enforcement agencies or courts shall be subject to prior approval by competent PRC authorities. Also data activities outside China which jeopardize China's national security, public interest or interest of Chinese companies/citizens shall also be governed by this law which could potentially create an issue for those companies that are taking an 'offshore delivery' model to serve their Chinese customers from abroad.
Organisations should prioritise given the short timeframe until it enters into effect, as this law applies to all companies irrespective of whether you are within or outside China, companies shall already do a data mapping exercise to pin down potential risk spots within their respective organizations. The next step shall be to raise awareness on impact of this law including the others to come like the Personal Information Protection Law and reserve necessary organizational resources to bring up their data compliance."
The Data Security Law will enter into effect on 1 September 2021.